[DSE-Dev] [refpolicy] Debian: ldd /sbin/udevd, need to use interactive fds

Václav Ovsík vaclav.ovsik at i.cz
Mon Sep 15 13:36:30 UTC 2008


On Fri, Sep 12, 2008 at 04:29:22PM +0200, Václav Ovsík wrote:
> While I was reading this, I opened /usr/bin/ldd to look in it and was
> a bit surprised by a block:
> 
> => # The following use of cat is needed to make ldd work in SELinux
> => # environments where the executed program might not have permissions
> => # to write to the console/tty.  But only bash 3.x supports the pipefail
> => # option, and we don't bother to handle the case for older bash versions.
> => if set -o pipefail 2> /dev/null; then
> =>   try_trace() {
> =>     eval $add_env '"$@"' | cat
> =>   }
> => else
> =>   try_trace() {
> =>     eval $add_env '"$@"'
> =>   }
> => fi
> 
> I must have completely overlooked this the first time. I am going to play
> with it a bit. I hope some correction of this can eliminate our headache
> on the policy side. I will write next week.

A little improvement of the workaround already part of ldd:

--- /usr/bin/ldd.orig	2008-07-29 07:21:35.000000000 +0200
+++ /usr/bin/ldd	2008-09-15 12:22:01.000000000 +0200
@@ -114,7 +114,7 @@
 # option, and we don't bother to handle the case for older bash versions.
 if set -o pipefail 2> /dev/null; then
   try_trace() {
-    eval $add_env '"$@"' | cat
+    eval $add_env '"$@"' <&- 2>&1 | cat
   }
 else
   try_trace() {
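Review bot: `<&-` closes the traced program's stdin outright, so the first file the traced program (or ld.so) opens receives fd 0; redirecting from /dev/null (`eval $add_env '"$@"' </dev/null 2>&1 | cat`) keeps the descriptor away from the terminal without that side effect. Two smaller points: `2>&1` now sends the loader's stderr into the pipe, so error text that previously reached the caller's stderr is mixed into ldd's stdout, and the fallback `try_trace` in the `else` branch is left as it was, so shells without pipefail still hand stdin and stderr to the traced program. The comment block just above the hunk only explains the `| cat`; extend it to say why stdin and stderr are redirected as well.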

That is, all inherited file descriptors connected to a user terminal
are moved away. The SELinux denial disappeared. Sorry for the noise about the
ldd domain; it can be forgotten.
Reported as a bug in the Debian BTS:
...hmm, the assignment still has not arrived after several hours...
I will send the bug number later.
Regards
-- 
Zito



More information about the SELinux-devel mailing list
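The descriptor handling discussed in this thread, as an added example that is not code from glibc's ldd script or from the post. It assumes Linux (it inspects /proc/self/fd) and standard coreutils (readlink, ls, awk). It reproduces the redirection from the patch (`<&- 2>&1 | cat`) beside a variant that takes stdin from /dev/null, then inspects fds 0-2 from inside the traced command to show what each form leaves attached, including where the child's first open() lands once fd 0 has been closed.

```shell
#!/bin/sh
# Added example, not from ldd or the original post.  Assumes Linux with
# /proc and coreutils (readlink, ls, awk).

# trace_stdin_closed CMD...: the redirection from the patch.  Nothing the
# child inherits on fds 0-2 refers to the user's tty, but fd 0 is closed.
trace_stdin_closed() {
    { "$@" <&- 2>&1; } | cat
}

# trace_detached CMD...: same idea, but stdin is taken from /dev/null so the
# child keeps a valid fd 0 and its first open() cannot land there.  In both
# wrappers the exit status is cat's unless the shell has `set -o pipefail`.
trace_detached() {
    { "$@" </dev/null 2>&1; } | cat
}

# describe_fds: report fds 0..2 of the process running it, e.g.
# "0=/dev/null 1=pipe 2=pipe".  Only builtin tests are used for fds 1 and 2,
# because a command substitution would replace fd 1 with its capture pipe.
describe_fds() {
    out=""
    for fd in 0 1 2; do
        if [ -t "$fd" ]; then
            kind=tty
        elif [ ! -e "/proc/self/fd/$fd" ]; then
            kind=closed
        elif [ -p "/proc/self/fd/$fd" ]; then
            kind=pipe
        elif [ "$fd" -eq 0 ]; then
            kind=$(readlink "/proc/self/fd/0")   # e.g. /dev/null; fd 0 is
        else                                     # not touched by $(...)
            kind=file
        fi
        out="$out$fd=$kind "
    done
    printf '%s\n' "${out% }"
}

# dir_fd: open a file in a fresh process (ls opens /proc/self/fd with
# opendir) and print the descriptor number that open() returned.  open()
# always returns the lowest free number, so with fd 0 closed this prints 0.
dir_fd() {
    ls -l /proc/self/fd | awk '$NF ~ "/fd$" { print $(NF - 2) }'
}

printf 'patched ldd style (<&-):  %s, first open() gets fd %s\n' \
    "$(trace_stdin_closed describe_fds)" "$(trace_stdin_closed dir_fd)"
printf 'suggested (</dev/null):   %s, first open() gets fd %s\n' \
    "$(trace_detached describe_fds)" "$(trace_detached dir_fd)"
```

Run from a terminal, the first line shows fd 0 closed and the child's first open() landing on 0; the second shows fd 0 on /dev/null and the open() landing on 3 or higher. Either way fds 1 and 2 are pipes, which is what removes the denial on the user's tty.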